CN-122001611-A - Attack behavior identification method based on multi-modal space-time diagram convolution

Abstract

The application discloses an attack behavior identification method based on multi-modal space-time diagram convolution. It relates to the technical field of network security protection and addresses the low identification accuracy and reliability of attack behaviors in the prior art. According to an embodiment of the application, semantic features, space-time features and behavior association features are fused into multi-modal features, and the similarity between these multi-modal features and historical feature samples of different attack types is computed to match the attack type; this enables cross-device and cross-protocol attack chain association analysis and improves recognition precision and reliability. In addition, the predicted attack behaviors that the attack target node may suffer in the next attack stage are predicted and the corresponding detection rules are injected into the attack target node, so that the predicted attack behaviors are recognized in time and the response speed of security protection is improved.

Inventors

  • LIAN YUTING
  • XIE PENGYU
  • MENG LIANG
  • XIE MING
  • ZENG MINGFEI
  • XIE JING
  • Zeng Hushuang
  • CHEN LINA
  • LI SIWEI
  • Wu Mingzhan

Assignees

  • 广西电网有限责任公司 (Guangxi Power Grid Co., Ltd.)

Dates

Publication Date: 2026-05-08
Application Date: 2025-12-05

Claims (10)

  1. An attack behavior identification method based on multi-modal space-time diagram convolution, characterized by comprising the following steps: acquiring a security log and network topology of a power network and state data of power equipment in the power network, wherein the security log comprises alarms for abnormal behaviors; extracting multi-modal features of an abnormal behavior based on the security log, the network topology and the state data, wherein the multi-modal features are obtained by aggregating semantic features, space-time features and behavior association features; the semantic features are obtained from the alarm fields corresponding to the abnormal behavior; the space-time features are obtained from the alarm node corresponding to the abnormal behavior in the network topology, the state data and a space-time diagram convolution network; the behavior association features are obtained from the semantic features, the space-time features and an attack stage transition probability matrix, and indicate the probability that the abnormal behavior is in each attack stage; determining the attack type of the abnormal behavior based on the similarity between its multi-modal features and historical feature samples of the various attack types; predicting the next attack stage, and the attack target node of that stage, based on the behavior association features and the attack stage transition probability matrix; and sending a detection rule to the attack target node based on the attack type of the abnormal behavior, wherein the detection rule is used for detecting the predicted attack behavior of the next attack stage, and the predicted attack behavior is derived from the attack type of the abnormal behavior.
  2. The method of claim 1, wherein the space-time diagram convolution network comprises a spatial convolution layer and a temporal convolution layer, and extracting the space-time features comprises: determining a target sub-topology from the network topology based on the alarm node, and acquiring the target state sub-data corresponding to the target sub-topology from the state data; and inputting the target state sub-data into the space-time diagram convolution network to obtain the space-time features it outputs, wherein the spatial convolution layer performs a convolution operation on first input data using a Chebyshev polynomial approximation, and the temporal convolution layer extracts time-series dependencies from second input data using one-dimensional causal convolution.
  3. The method according to claim 1, wherein extracting the behavior association features comprises: mapping the business semantic labels in the semantic features to attack stages and assigning a basic confidence, based on a preset mapping between power industrial control semantics and attack framework semantics; calculating the space-time anomaly degree of the abnormal behavior based on the space-time features; weighting and adjusting the basic confidence based on the space-time anomaly degree to obtain an adjusted confidence; and calculating the probability distribution of the abnormal behavior over the attack stages based on the attack stage transition probability matrix and the adjusted confidence, to obtain the behavior association features.
  4. The method of claim 1, wherein the security log further comprises threat intelligence, the attack types comprise a first attack type, and before determining the attack type of the abnormal behavior based on the similarity between its multi-modal features and historical feature samples of the various attack types, the method further comprises: classifying historical abnormal behaviors into a plurality of attack types based on their semantic tags; setting a similarity threshold for each attack type; and reducing the first similarity threshold corresponding to the first attack type when the threat intelligence indicates that an attack behavior of the first attack type has occurred; and wherein determining the attack type of the abnormal behavior comprises: determining that the attack type of the abnormal behavior is the first attack type when the similarity between the multi-modal features of the abnormal behavior and the historical feature samples of the first attack type is greater than the first similarity threshold.
  5. The method of claim 1, wherein predicting the next attack stage, and the attack target node of that stage, based on the behavior association features and the attack stage transition probability matrix comprises: obtaining the probability distribution of the next attack stage based on the behavior association features and the attack stage transition probability matrix; sorting the attack stages by that probability from high to low to obtain a sorting result; and determining, based on the top k attack stages in the sorting result and a preset correspondence between attack stages and service functions, the nodes bearing the corresponding service functions as the attack target nodes, wherein the shortest-path distance between such a node and the alarm node is smaller than a first preset hop count.
  6. The method of claim 1, wherein sending the detection rule to the attack target node based on the attack type of the abnormal behavior comprises: acquiring the detection rule based on the attack type of the abnormal behavior and the next attack stage; and sending the detection rule to the attack target node so that the attack target node monitors for operations matching the predicted attack behavior.
  7. The method according to any one of claims 1-6, wherein constructing the attack stage transition probability matrix comprises: constructing an M x M attack stage transition probability matrix P, where M is the number of attack stages; and obtaining each element P[i, j] from historical attack data statistics, its value being the frequency of transitions from attack stage i to attack stage j divided by the total frequency of transitions from attack stage i to all other attack stages.
  8. An attack behavior recognition system based on multi-modal space-time diagram convolution, applying the method of any one of claims 1-7, the system comprising: an acquisition module, configured to acquire a security log and network topology of a power network and state data of power equipment in the power network, wherein the security log comprises alarms for abnormal behaviors; an extraction module, configured to extract the multi-modal features of an abnormal behavior based on the security log, the network topology and the state data, wherein the multi-modal features are obtained from semantic features, space-time features and behavior association features, the semantic features are obtained from the alarm fields corresponding to the abnormal behavior, the space-time features are obtained from the alarm node corresponding to the abnormal behavior in the network topology, the state data and a space-time diagram convolution network, the behavior association features are obtained from the semantic features, the space-time features and an attack stage transition probability matrix, and the behavior association features indicate the probability that the abnormal behavior is in each attack stage; a classification module, configured to determine the attack type of the abnormal behavior based on the similarity between its multi-modal features and historical feature samples of the various attack types; a prediction module, configured to predict the next attack stage, and the attack target node of that stage, based on the behavior association features and the attack stage transition probability matrix; and a response module, configured to send a detection rule to the attack target node based on the attack type of the abnormal behavior, wherein the detection rule is used for detecting the predicted attack behavior of the next attack stage, and the predicted attack behavior is derived from the attack type of the abnormal behavior.
  9. A computing device, comprising: a memory for storing a program; and a processor for loading the program to perform the method of any one of claims 1-7.
  10. A computer-readable storage medium, characterized in that it comprises a stored program which, when run, controls the device in which the storage medium is located to perform the method of any one of claims 1-7.
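Claims 5 and 7 describe a small, well-defined procedure: estimate a stage transition matrix from historical attack sequences, push the current stage distribution (the behavior association feature) through it, rank the resulting stages, and pick nodes within a hop limit that carry the matching service functions. The following Python is an added illustration written for this page, not code from the patent or its applicant; the stage names, incident history, topology, node services and stage-to-service mapping are all constructed sample data.

```python
from collections import deque

# Constructed example (not from the patent): four attack stages indexed 0..3.
STAGES = ["reconnaissance", "initial_access", "lateral_movement", "impact"]
# Constructed history of stage-index sequences from past incidents (claim 7 input).
HISTORY = [[0, 1, 2, 3], [0, 1, 3], [1, 2, 3], [0, 2, 3]]
# Constructed topology (adjacency lists), service per node, and stage-to-service map.
TOPOLOGY = {"fw": ["hmi"], "hmi": ["fw", "eng", "scada"], "eng": ["hmi", "rtu"],
            "scada": ["hmi", "rtu"], "rtu": ["eng", "scada"]}
NODE_SERVICE = {"hmi": "operator_interface", "eng": "engineering",
                "scada": "control", "rtu": "control"}
STAGE_SERVICE = {1: "operator_interface", 2: "engineering", 3: "control"}

def build_transition_matrix(sequences, num_stages):
    """Claim 7: P[i][j] = transitions i->j divided by all transitions out of i."""
    counts = [[0] * num_stages for _ in range(num_stages)]
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    # A stage never seen as a source keeps an all-zero row rather than dividing by 0.
    return [[c / sum(row) if sum(row) else 0.0 for c in row] for row in counts]

def next_stage_distribution(stage_probs, matrix):
    """Claim 5: push the current stage distribution one step through P."""
    n = len(matrix)
    return [sum(stage_probs[i] * matrix[i][j] for i in range(n)) for j in range(n)]

def top_k_stages(distribution, k):
    """Rank stages by probability, high to low, and keep the first k indices."""
    return sorted(range(len(distribution)), key=lambda s: -distribution[s])[:k]

def hop_distances(adjacency, source):
    """Unweighted shortest-path (hop) distance from the alarm node to every node (BFS)."""
    dist, queue = {source: 0}, deque([source])
    while queue:
        node = queue.popleft()
        for nbr in adjacency.get(node, ()):
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    return dist

def select_target_nodes(adjacency, node_service, stage_service, alarm_node, stages, max_hops):
    """Claim 5: nodes bearing a top-k stage's service and closer than max_hops to the alarm."""
    wanted = {stage_service[s] for s in stages if s in stage_service}
    dist = hop_distances(adjacency, alarm_node)
    return sorted(n for n, svc in node_service.items()
                  if svc in wanted and n in dist and dist[n] < max_hops)
```

With the constructed history, a behavior association vector of [0.1, 0.8, 0.1, 0.0] (mostly initial_access) pushed through the matrix ranks lateral_movement and impact highest, so with alarm node "hmi" and a hop limit of 2 the candidate targets are eng and scada, while rtu at 2 hops is excluded because the claim requires a distance strictly smaller than the limit.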

Description

Technical Field

The invention relates to the technical field of network security protection, in particular to an attack behavior identification method based on multi-modal space-time diagram convolution.

Background

With the deep advancement of smart grid construction, the electric power system has gradually developed into a complex network system integrating power generation, transmission, transformation, distribution, consumption and scheduling, whose operation depends on a large number of intelligent electronic devices, industrial control protocols and data communication links. At the same time, the high degree of informatization and interconnection of the power network has made it a key target of network attacks. Attack means are highly concealed, propagate along complex paths and coordinate across domains, and a successful attack on the power network can cause serious consequences such as large-area power failure and damage to power equipment, so that such attacks constitute a great threat to national energy security and social stability.

Currently, power network attack detection mainly relies on a static rule base: an alarm is triggered when monitored network behavior matches known signatures in the rule base, and the fixed rules easily cause false alarms in special scenarios. The usual complement is to identify abnormal behaviors deviating from a normal baseline by statistical analysis of the network traffic, running state and other time-series data of a single device or a single protocol. This approach, however, focuses on the local nature of individual monitoring points and lacks the capability to correlate attack chains across devices and across protocols, resulting in false negatives.

In view of this, there is a need for an attack behavior recognition method based on multi-modal space-time diagram convolution.

Disclosure of Invention

Aiming at the problem of low recognition accuracy and reliability of attack behaviors in the prior art, the invention provides an attack behavior recognition method based on multi-modal space-time diagram convolution, which can improve the recognition accuracy and reliability of attack behaviors. The specific technical scheme is as follows.

In a first aspect, an embodiment of the present application provides a method for identifying an attack behavior based on multi-modal space-time diagram convolution, the method comprising: obtaining a security log of an electric power network, together with the network topology and the state data of electric power equipment in the electric power network, wherein the security log comprises alarms of abnormal behaviors; extracting multi-modal features of an abnormal behavior based on the security log, the network topology and the state data, wherein the multi-modal features are obtained by aggregating semantic features, space-time features and behavior association features, the semantic features are obtained from the alarm fields corresponding to the abnormal behavior, the space-time features are obtained from the alarm node corresponding to the abnormal behavior in the network topology, the state data and a space-time diagram convolution network, the behavior association features are obtained from the semantic features, the space-time features and an attack stage transition probability matrix, and the behavior association features indicate the probability that the abnormal behavior is in each attack stage; determining the attack type of the abnormal behavior based on the similarity between its multi-modal features and historical feature samples of the various attack types; predicting the next attack stage, and the attack target node of that stage, based on the behavior association features and the attack stage transition probability matrix; and sending a detection rule to the attack target node based on the attack type of the abnormal behavior, wherein the detection rule is used for detecting the predicted attack behavior of the next attack stage, and the predicted attack behavior is derived from the attack type of the abnormal behavior.

The space-time diagram convolution network comprises a spatial convolution layer and a temporal convolution layer, and the space-time feature extraction flow comprises determining a target sub-topology from the network topology based on the alarm node, acquiring the target state sub-data corresponding to the target sub-topology from the state data, and inputting the target state sub-data into the space-time diagram convolution network to obtain the space-time features it outputs, wherein the spatial convolution layer performs a convolution operation on first input data using a Chebyshev polynomial approximation and carrying out time sequence depende